API Flaw Exposes Nissan LEAF Cars to Remote Attacks

An API used by Nissan to allow LEAF owners to manage their vehicles from a mobile phone is plagued by a vulnerability that allows hackers to remotely control some of the car’s features.

Nissan LEAF is the world’s best selling all-electric car. The manufacturer has developed Android and iOS applications designed to allow owners to manage their vehicle and control frequently used features remotely from their mobile phone.

While teaching a workshop in Norway last month, Australian security expert Troy Hunt was informed by one of his students who owned a Nissan LEAF that the app for iOS used only the car’s Vehicle Identification Number (VIN) for authentication. Further analysis revealed that the API leveraged by the mobile apps could be accessed anonymously, without any kind of authentication token being used.

Experts discovered that by knowing a Nissan LEAF’s VIN, they could send requests to enable and disable the climate control, obtain information on the vehicle’s status, and even collect driving history (e.g. power consumption, travel distance, date and time, number of trips).

Experiments conducted by Hunt with the help of UK-based researcher and LEAF owner Scott Helme showed that a remote attacker could easily turn on the AC of a parked car in an effort to drain its battery. Furthermore, the exposure of driving history information can pose a serious privacy risk, experts warned.

Fortunately, the LEAF mobile apps don’t allow users to lock or unlock the vehicle, or start it remotely.

At first glance it might not seem like such attacks are easy to carry out because the attacker needs to obtain the target’s VIN. However, it appears that the task might not be too difficult.

On all the Nissan LEAF vehicles seen by Hunt, the VIN is the same, except for the last five digits. This allows an attacker to send API requests using all possible combinations until they receive a response from a vehicle.

Hunt wasn’t the only one who discovered the vulnerability. The expert was contacted by someone from Canada who identified the same flaw. The issue had been discussed publicly on a French-language forum since December.

Hunt notified Nissan about the vulnerability on January 23, but a patch has yet to be released. Until a fix becomes available, users can protect themselves against potential attacks by logging in to their accounts from a web browser and disabling the service from the configuration menu.

The car maker told the expert that it was “making progress toward a solution,” and requested that he postpone publishing his blog post for “a few weeks.” Troy decided not to wait considering that the existence of the issue has already been made public on several websites.

Contacted by SecurityWeek, Nissan said it's working on resolving the security issue.

"Nissan is aware of a data issue relating to the NissanConnect EV app that impacts the climate control and state of charge functions. It has no effect whatsoever on the vehicle's operation or safety," the company said in an emailed statement. "Our global technology and product teams are currently working on a permanent and robust solution. We are committed to resolving the issue as a matter of priority, ensuring that we deliver the best possible experience for our customers through the app now and in the future."

In a second statement sent to SecurityWeek, Nissan said it decied to disable its NissanConnect EV app until the vulnerability is addressed:

"The NissanConnect EV app (formerly called CarWings and is used for the Nissan LEAF) is currently unavailable. This follows information from an independent IT consultant and subsequent internal Nissan investigation that found the dedicated server for the app had an issue that enabled the temperature control and other telematics functions to be accessible via a non-secure route.

No other critical driving elements of the Nissan LEAF are affected, and our 200,000 LEAF drivers across the world can continue to use their cars safely and with total confidence. The only functions that are affected are those controlled via the mobile phone – all of which are still available to be used manually, as with any standard vehicle. We apologize for the disappointment caused to our Nissan LEAF customers who have enjoyed the benefits of our mobile apps. However, the quality and seamless operation of our products is paramount.

This is not the first time researchers show that connected cars can be remotely hacked. Several experts demonstrated last year that attackers can remotely take control of a car’s various functions via in-vehicle connectivity and other systems.

As a result of such research, lawmakers in the United States have asked carmakers to take security seriously in an effort to protect their customers, and experts have launched new initiatives aimed at raising awareness and facilitating collaboration between researchers and the automotive industry.

Some carmakers have already started taking steps towards ensuring the safety of their customers and launched bug bounty programs to encourage security enthusiasts to responsibly disclose bugs. General Motors launched a vulnerability disclosure program last month, inviting experts to submit information on flaws found in any of its products and services.

Unlike Tesla, which is prepared to reward researchers with up to $10,000, GM is not offering any rewards in the initial phase of its program.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.